socat -- buffer overflow with data from command line

Details

VuXML ID: a4c9e12d-88b7-11e3-8ada-10bf48e1088e

Discovery: 2014-01-24

Entry: 2014-01-29

Florian Weimer of the Red Hat Product Security Team reports:

Due to a missing check during assembly of the HTTP request line a long
target server name in the PROXY-CONNECT address can cause a stack buffer
overrun. Exploitation requires that the attacker is able to provide the
target server name to the PROXY-CONNECT address in the command line.
This can happen for example in scripts that receive data from untrusted
sources.
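
The kind of check the report says was missing, as an added example that is not socat's code and not part of the advisory: a request-line builder that rejects an over-long or malformed target name and treats truncation as an error. The function names, the 253-byte cap, the character allow-list and the HTTP/1.0 version string are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 253 /* assumed cap: longest DNS name in text form */

/* Accept only a non-empty, bounded run of hostname characters. */
static int host_is_acceptable(const char *host)
{
    size_t n = 0;
    for (; host[n] != '\0'; n++) {
        unsigned char c = (unsigned char)host[n];
        if (n >= MAX_HOSTNAME)
            return 0;                 /* too long: stop reading here */
        /* '.', '-' for names; ':', '[', ']' for IPv6 literals. CR, LF and
           spaces are rejected, so the request line cannot be split. */
        if (!isalnum(c) && strchr(".-:[]", c) == NULL)
            return 0;
    }
    return n > 0;
}

/* Assemble "CONNECT host:port HTTP/1.0\r\n" into out[outlen].
   Returns the line length, or -1 if the input is rejected or does not fit. */
int build_connect_line(char *out, size_t outlen, const char *host, unsigned port)
{
    if (out == NULL || outlen == 0 || host == NULL)
        return -1;
    out[0] = '\0';
    if (!host_is_acceptable(host) || port == 0 || port > 65535)
        return -1;
    int n = snprintf(out, outlen, "CONNECT %s:%u HTTP/1.0\r\n", host, port);
    if (n < 0 || (size_t)n >= outlen) { /* would have overrun: fail closed */
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char line[64]; /* constructed sample: fixed-size stack buffer */
    int n = build_connect_line(line, sizeof line, "example.org", 443);
    printf("%d %s", n, n > 0 ? line : "(rejected)\n");
    return 0;
}
```

A script that passes untrusted data to the PROXY-CONNECT address can apply the same length and character checks to the target name before it invokes the program.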